Instance scan check - need help


I would like to create a scan check that flags an inactive (deactivated) field captured in an update set when an active ACL is still associated with it.

 

I created a script-only scan check, and it returned test findings. I added it to the scan check suite, but when I deactivate a sample field that has an active ACL and then scan my update set, no scan findings appear. In the script, I set the current source to the update set GlideRecord.
I then switched to a table check on sys_dictionary with the condition active=false and added a script, but that did not work either.

 

Can anyone please check these scripts to see if I am doing anything wrong?

 

Script-Only Check

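(function(engine) {
    /*
     * Script-only scan check.
     *
     * For every inactive sys_dictionary entry that still has an active
     * field-level ACL named "<table>.<element>", raise one finding per
     * sys_update_xml row that mentions the field and contains
     * "<active>false</active>", attributed to that row's update set.
     *
     * An active ACL left behind on a deactivated field is stale access-control
     * configuration, so it is surfaced before the update set is promoted.
     */
    var dictionaryGR = new GlideRecord('sys_dictionary');
    dictionaryGR.addEncodedQuery('active=false');
    dictionaryGR.query();

    while (dictionaryGR.next()) {
        var field = dictionaryGR.element.toString();
        var table = dictionaryGR.name.toString();

        // Rows without an element (or table) cannot map to a field-level ACL.
        // An empty field would also turn the payload filter below into a
        // match on the empty string, so skip them.
        if (!field || !table) {
            continue;
        }

        var acl = table + '.' + field;

        // Exact name match: a CONTAINS filter also hits unrelated ACLs whose
        // name merely embeds this one (e.g. "<table>.<field>_other").
        // Wildcard ACLs such as "<table>.*" are deliberately not counted.
        var aclGR = new GlideRecord('sys_security_acl');
        aclGR.addQuery('active', true);
        aclGR.addQuery('name', acl);
        aclGR.setLimit(1); // existence check only
        aclGR.query();

        if (!aclGR.hasNext()) {
            continue;
        }

        // NOTE(review): this is a substring match on the payload, so any
        // captured record that mentions the field name and contains
        // <active>false</active> qualifies, not only the dictionary entry
        // itself. Confirm whether a tighter filter is wanted.
        var xml = new GlideRecord('sys_update_xml');
        xml.addQuery('payload', 'CONTAINS', field);
        xml.addQuery('payload', 'CONTAINS', '<active>false</active>');
        xml.query();

        while (xml.next()) {
            // getValue() yields the sys_id string, or null when the reference
            // is empty, which makes the emptiness test below reliable.
            var updateSet = xml.getValue('update_set');
            if (!updateSet) {
                continue;
            }

            var updateGR = new GlideRecord('sys_update_set');
            if (updateGR.get(updateSet)) {
                // The original called a bare `finding`, which is not declared
                // anywhere in this script; the finding object is reached
                // through the engine parameter.
                engine.finding.setCurrentSource(updateGR);
                engine.finding.increment();
            }
        }
    }
})(engine);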

 

 

Table check w script

Conditions- active = false

Table- sys_dictionary

 

(function(engine) {
    /*
     * Table check script, run per sys_dictionary row matched by the check's
     * condition (active = false). Reports a finding when an active ACL whose
     * name is exactly "<table>.<element>" still exists for that row.
     */
    var dictEntry = engine.current;
    var aclName = dictEntry.name.toString() + '.' + dictEntry.element.toString();

    // Exact-name lookup limited to one row: only existence matters here.
    // Wildcard ACLs such as "<table>.*" are not matched by this query.
    var activeAcl = new GlideRecord('sys_security_acl');
    activeAcl.addQuery('name', aclName);
    activeAcl.addQuery('active', true);
    activeAcl.setLimit(1);
    activeAcl.query();

    if (!activeAcl.hasNext()) {
        gs.info('No acls' + aclName);
        return;
    }

    // An active ACL still guards a deactivated field: record the finding.
    gs.info('ACLS found ' + aclName);
    engine.finding.increment();
})(engine);
